Cyber Security Institute

Wednesday, May 30, 2007

Are security pros worrying about the right stuff?

This is the first in a series of stories on the most important security issues facing the enterprise.  “As a rule, men worry more about what they can’t see than what they can.”  Worrying almost seems to define the job of the CSO and CISO.  The security chief is the corporate standard bearer for risk management in a world fraught with technical and human error, with hackers potentially lurking within and without.  When asked what they worry about, CSOs and CISOs cite regulatory compliance and security controls overlooked in IT projects.  Some acknowledge a general angst that simply boils down to the great unknown of system-wide chaos.  But are security pros worrying about the right things?  When asked this, many independent observers—former CSOs or consultants working with CSOs—offer a different perspective.

Friday, May 25, 2007

PCI Compliance: It Pays Off

When it comes to doubters of the PCI data security standard, A. Bryan Sartin of Cybertrust says one statistic speaks for itself: No organization that has been completely compliant with PCI has been compromised.  Sartin, a computer forensic investigator, says he is only “slightly biased” by the fact he teaches PCI compliance.  “PCI is a very good thing,” he insists, adding that “If you are a person who performs security assessments, it’s not a burden.”

Thursday, May 24, 2007

Move to Web 2.0 Increases Security Challenges

Web 2.0 isn’t just for the likes of MySpace and YouTube anymore. Mainstream companies are catching the fever.  The only problem is, they might be rushing headlong into something that could put their network—and their customers—at risk.

The ABCs of New Security Leadership

September 11 profoundly changed the public perception of national security; the Enron accounting scandal and a rash of similar scams alerted us to widespread deficiencies in corporate governance, accountability and ethics.  But every security leader knows that as time passes after any incident - no matter how demonstrative - corporate concern for the issues brought to light by that incident tends to wane.  Maintaining the right level of boardroom and employee awareness is a consequence of leadership.  And more effective ideas and tactics are replacing the old, reactive security leadership paradigm.  Below, CSO looks at what’s Out and what’s In.

Wednesday, May 23, 2007

Management, security challenges threaten virtualization’s success

Successful implementations of virtualization in enterprise production networks depend less upon virtual server vendors and more upon management and security technology providers adapting their products to the new paradigm virtual environments represent, according to sessions at Interop.  As more enterprise IT managers look to virtualize x86 servers in production networks, industry watchers warn that management and security technologies must also be considered before deployment.  For one, virtualization will tax tomorrow’s networks as today’s tools fail to keep up with the rate at which virtual servers proliferate and network managers succumb to virtual server sprawl.  With all the benefits of virtual servers—speedy roll outs, efficient resource consumption and made-to-order test environments—the network traffic that passes among virtual server instances can be lost to traditional network management and security tools, putting environments at greater risk for performance failures and security threats, industry watchers say.

Tuesday, May 22, 2007

IBM Internet Security Systems Accelerates Network Performance with New Intrusion Prevention Appliance

IBM unveiled an intrusion prevention appliance that is designed to transmit and protect network traffic at core network speeds.  The new Proventia Network Intrusion Prevention System (IPS) GX6116 supports throughput of up to fifteen gigabits per second (Gbps) with preemptive protection for up to six Gbps of network traffic.

Laser targeting by hackers

A new batch of reports on malicious code is out, and the news just keeps getting worse.  Hackers continue to come up with new and better schemes for getting past our defenses.  Internet security service provider MessageLabs uncovered some interesting trends in its report on online threats for March.  Not only did the number of targeted attacks go up, but the attacks are becoming more narrowly targeted.  By a wide margin, the most common of the 249 low-volume, high-value attacks identified by the company consisted of a single e-mail sent to one person.  Nearly one quarter of the individuals targeted were in government, and that sector was the most commonly targeted by these attacks, by a two-to-one margin.  The electronics, aviation, retail, communications and finance sectors rounded out the top tier of targets.  The bad guys know which organizations have data worth stealing and are picking them out one by one, said MessageLabs senior anti-virus technologist Alex Shipp.

NIST releases FISMA security control tools

The National Institute of Standards and Technology has released a suite of tools to help automate vulnerability management and evaluate compliance with federal IT security requirements.  It is an automated checklist that uses a collection of recognized standards for naming software flaws and configuration problems in specific products.

Monday, May 21, 2007

New Rules May Ease SOX Audits

New guidelines for auditors of Sarbanes-Oxley compliance could take effect later this week, lowering the cost of SOX initiatives and reducing companies’ dependence on auditors to interpret SOX requirements.  The Public Company Accounting Oversight Board (PCAOB)—a private, nonprofit entity that gives guidance to the many auditors who evaluate SOX compliance—on Thursday is scheduled to vote on a range of new recommendations, many of which will make it easier and less expensive for companies to meet the legal regulations.  “These changes could have a very profound effect on the whole compliance effort,” says Chris Davis, manager of compliance knowledge management at Cybertrust, which offers security and compliance tools and services.

Friday, May 18, 2007

ISO 2700—Security Sleeper

Let’s face it, the ISO security standards—first ISO 17799, which I covered in detail back in March of 2003, and now ISO 27001 and 27002, which are replacing it—are real yawners.  Would you really have eaten your peas at age 4 if your mama didn’t make you?  Funny thing is, despite the fact that they are boring but good for you, the ISO standards may now be turning into the sleeper hits of the season.

Microsoft tweaks Patch Tuesday advance notification

Microsoft Corp. on Wednesday said that customers have convinced it to flesh out the monthly advance notice of impending security updates with more information.  Beginning in June, the advanced notice will offer more detail than before, Mark Miller, director of the Microsoft Security Response Center (MSRC), said on the group’s blog.  Rather than earlier bare-bones guidance, which was limited to the software affected—Windows or Office, for instance—and the maximum severity rating of all the updates, the MSRC will now summarize each bulletin separately the Thursday before patches are issued.

Thursday, May 17, 2007

Security: New Study IDs Top Threats

It seems no matter how many companies make the news because of IT security problems—recent victims and foul-ups include AOL LLC, AT&T Inc., Sovereign Bancorp Inc., the TJX Companies, UCLA and Verizon Wireless—the perceived state of security resembles Garrison Keillor’s mythical Lake Wobegon, the town “where all the women are strong, all the men are good-looking, and all the children are above average.”  According to this year’s security survey, most IT executives still say their corporate security is strong, risk of a breach is moderate or low, and confidence in their ability to fend off attacks is rising.  About 85 percent of our 187 respondents feel certain they can keep their company’s money safe from thieves’ clutches.  But these assurances seem increasingly naïve as time goes on.

Traffic-Scanning Flaw Hits 90+ Vendors

It’s not every day that US-CERT warns of a flaw that is potentially so widespread that it could affect more than 90 vendors covering a huge swath of the IT industry.  The flaw US-CERT describes, a full-width/half-width Unicode encoding bypass in HTTP content scanning systems, could potentially be one of the most widespread networking security flaws discovered in years.  If exploited, a malicious user could use the bypass to attack a vulnerable environment.

Tuesday, May 15, 2007

OpenSEA Aims for Better Authentication

The new OpenSEA Alliance, incorporated in California as a nonprofit, plans to focus on developing a supplicant for the 802.1X standard of port authentication.  As its first project, OpenSEA plans to develop a cross-platform, open-source 802.1X supplicant using the Firefox Web browser as a model.

Friday, May 11, 2007

Log Management Crucial to Effective Security

One of the best ways financial institutions have of protecting critical infrastructure is to monitor system logs, which contain a gold mine of information about the health of the network.  When properly configured, logs record the day-to-day activity of system users, administrative changes made to critical production systems, and evidence produced by malicious activity.  With the right logging configuration financial institutions can capture the history of a hacker’s activity, from the establishment of unauthorized accounts to the installation of back-doors, enabling them to quickly isolate and repair affected systems after an intrusion.

RSA enVision boasts HA features and integration with EMC storage.

Formerly from Network Intelligence (acquired by RSA parent company EMC in September of 2006), RSA enVision is a centralized, appliance-based offering that facilitates both the collection/storage and analysis of event data from disparate security and network devices.  Based on a locked-down Windows OS, the enVision appliance is managed remotely (one or many appliances can be so managed), with scalability listed from 500 to 3,000,000 EPS and from 320 GB to 3 TB per appliance.

Intel, PGP In Security Hookup

Intel and PGP have announced a partnership to sell encryption products on systems with Centrino Pro and vPro technologies.  Intel will integrate PGP’s products into its Active Management Technology (AMT) framework, which enables IT administrators to remotely troubleshoot desktops and notebooks.

Monday, May 07, 2007

Oracle Makes Bid to Streamline Data Auditing

Oracle has released an audit management tool company officials say will help address both regulatory compliance issues and the so-called insider threat facing enterprises.  Organizations can use Oracle Audit Vault to centrally manage their database auditing configuration and deploy uniform audit policies, said Vipin Samar, vice president of database security at Oracle.

Thumb Drives Replace Malware As Top Security Concern, Study Finds

A worker calls up a sensitive investor list and downloads it on her thumb drive, slips it into her pocket, and walks out, smiling and waving to her boss and the security officer stationed at the front door.  According to one recent study, IT managers said portable storage devices, such as thumb drives and MP3 players, have surpassed even malware to become a top concern.  The study, which polled 370 IT professionals, showed that 38.4% of IT managers say portable storage devices are their top security concern.

Sunday, May 06, 2007

How to Get Strict - and Savvy - With Data Surveillance

Insider threat evokes a variety of menacing images for internal auditors and others responsible for protecting organizations from malicious or irresponsible acts.  With the implementation of new technologies and the expanding dependence on data collection in the public and private sectors, this vulnerability has increasingly become an information security and privacy issue.  Employees are now able to access vast amounts of highly sensitive financial, medical, education or credit information for unauthorized, and potentially malicious, reasons.

Ongoing Surveillance

Data surveillance is a strategy that allows organizations to safeguard the confidential data critical to their success, without restricting access to information that would impede the key business processes for which it was collected.

Friday, May 04, 2007

Security’s Top Five Priorities

For security professionals, the awake-at-night issues keep changing.  Security threats, apparently, are like politically-incorrect comments by Don Imus: There’s a new one every few minutes.  And so, in one final nod to Dark Reading’s first anniversary this week, they’ve done some research on security professionals’ current concerns, and those they foresee in the immediate future.  The following is a synopsis of what they found.  As you’ll see, some of the top issues and priorities in IT security have shifted significantly in the scant four months since we last asked this question.  But read it fast—the next sea change can’t be far away.

Thursday, May 03, 2007

Microsoft Unveils New Management and Security Tools

Microsoft on Wednesday unveiled a range of new infrastructure management and security tools designed to help businesses more efficiently control their IT assets while fending off viruses, malware, and other cyberthreats.  The company’s new Forefront Client Security software is designed to warn IT security managers about emerging threats and vulnerabilities through a central management interface that integrates with System Center solutions, Active Directory directory services, and other Microsoft technologies.

Promisec Survey Reveals Top Threats

Findings of the Promisec summary audit revealed that 25,090 (13%) of the corporate PCs surveyed had unauthorized USB devices attached to them, opening the door to data loss and the opportunity for USB-borne viruses and malware to enter the corporate network.